To evaluate a very simple formula (2 values and an operator), put all 3 in separate inputs and switch on the operator.

What if, instead of a number like you expected, I input:

Code:

2+3;phpinfo();

You'd run that through eval and you'd get 5...and I'd get the entire dump of your PHP.ini, including local passwords, filesystem paths, OS information, version information, patches, extensions...you may as well hand me the keys to your rack (assuming your racks are locked like they should be).

You shouldn't even try to "validate" the string by fumbling with regexes. There's a gigantic chance of f*cking that up, and if you do, you're screwed as ManiacDan already explained.

The rule "eval() is evil" exists for a reason. 99% of the time, using eval() is a really, really bad idea. Either it's a gigantic security hole, or it's a symptom of terrible programming.

In your case, the appropriate solution would be to use a separate interpreter for those expressions. The interpreter can be a simple PHP program, or it can be an external tool you call from your PHP script.
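The "separate interpreter" the post recommends, written out as an added example that is not from this thread: a small recursive-descent evaluator in PHP that handles +, -, *, /, parentheses and unary minus with normal precedence, and rejects anything else. The class and function names (SafeCalc, unsafeCalc) are my own, and it assumes PHP 8. The eval()-based version is included only for contrast and is never called.

```php
<?php
// Grammar:  expr := term (('+'|'-') term)*
//           term := factor (('*'|'/') factor)*
//           factor := number | '(' expr ')' | '-' factor

// The pattern the thread warns about, kept here only for contrast. Never call it with user input:
// unsafeCalc("2+3;phpinfo();") returns 5 and also runs phpinfo().
function unsafeCalc(string $input): mixed {
    return eval("return $input;");
}

final class SafeCalc {
    private array $tokens;
    private int $pos = 0;

    private function __construct(array $tokens) { $this->tokens = $tokens; }

    public static function evaluate(string $input): float {
        // Tokenize: numbers, the five operator/paren characters, and (via \S) any other
        // non-blank byte as a one-character token the parser will refuse. White space is dropped.
        preg_match_all('#\d+(?:\.\d+)?|[-+*/()]|\S#', $input, $m);
        $calc = new self($m[0]);
        $result = $calc->expr();
        if ($calc->pos !== count($calc->tokens)) {          // e.g. the ';' in "2+3;phpinfo();"
            throw new InvalidArgumentException("unexpected token '{$calc->tokens[$calc->pos]}'");
        }
        return $result;
    }

    private function peek(): ?string { return $this->tokens[$this->pos] ?? null; }

    private function expr(): float {
        $value = $this->term();
        while (in_array($this->peek(), ['+', '-'], true)) {
            $op = $this->tokens[$this->pos++];
            $rhs = $this->term();
            $value = $op === '+' ? $value + $rhs : $value - $rhs;
        }
        return $value;
    }

    private function term(): float {
        $value = $this->factor();
        while (in_array($this->peek(), ['*', '/'], true)) {
            $op = $this->tokens[$this->pos++];
            $rhs = $this->factor();
            if ($op === '/' && $rhs == 0.0) throw new DomainException('division by zero');
            $value = $op === '*' ? $value * $rhs : $value / $rhs;
        }
        return $value;
    }

    private function factor(): float {
        $tok = $this->tokens[$this->pos++] ?? throw new InvalidArgumentException('unexpected end of expression');
        if ($tok === '-') return -$this->factor();                       // unary minus
        if ($tok === '(') {
            $value = $this->expr();
            if (($this->tokens[$this->pos++] ?? null) !== ')') throw new InvalidArgumentException('missing )');
            return $value;
        }
        if (is_numeric($tok)) return (float)$tok;
        throw new InvalidArgumentException("unexpected token '$tok'");  // letters, ';', '$', quotes, ...
    }
}

// Constructed sample inputs: well-formed expressions, then the injection payload from the thread.
foreach (['2+3', '2+3*4', '(2+3)*4', '-3*-2', '10/4'] as $e) {
    echo "$e = ", SafeCalc::evaluate($e), "\n";
}
try {
    SafeCalc::evaluate('2+3;phpinfo();');
} catch (InvalidArgumentException $ex) {
    echo "rejected: {$ex->getMessage()}\n";
}
```

The point is that nothing here ever hands the string to the PHP engine: the parser only knows numbers and six punctuation characters, so "2+3;phpinfo();" fails at the ';' with an exception instead of executing anything. Because the allowed alphabet is enumerated by the tokenizer and enforced by the parser, there is no regex "blacklist" to get wrong, which is exactly the failure mode the post above warns about.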

Why can't I use certain words like "drop" as part of my Security Question answers?
There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".

To evaluate a very simple formula (2 values and an operator), put all 3 in separate inputs and switch on the operator.

If your input really will be as simple, or close to it, as your example, here is one possible expansion on ManiacDan:

Code:

<?php
// Tokenize into a FIFO, then fold it left to right (no precedence); no eval() anywhere. Needs PHP 8.
function evalSimple(string $input): float {
    $input = preg_replace('/\s+/', '', $input);              // strip white space
    $tokens = [];
    while ($input !== '') {
        if (!preg_match('/^\d+/', $input, $m)) throw new InvalidArgumentException("unexpected input: $input");
        $tokens[] = (float)$m[0]; $input = substr($input, strlen($m[0]));           // push the number
        if ($input !== '') { $tokens[] = $input[0]; $input = substr($input, 1); }   // push the operator
    }
    $total = array_shift($tokens);                            // pop off the first value
    while ($tokens) {                                         // then (operator, value) pairs
        $op = array_shift($tokens); $cur = array_shift($tokens) ?? throw new InvalidArgumentException('dangling operator');
        $total = match ($op) { '+' => $total + $cur, '-' => $total - $cur, '*' => $total * $cur, '/' => $total / $cur,
                               default => throw new InvalidArgumentException("unsupported operator: $op") };
    }
    return $total;
}

Of course this would break on anything with more than basic operators. But it should be safe with the obligatory input sanitization.